EVALUATION REPORT

Information Security Risk Evaluation of Region I – King of Prussia, PA

OIG 13-A-06
December 20, 2012

All publicly available OIG reports (including this report) are accessible through NRC's Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

December 20, 2012

MEMORANDUM TO:  R. William Borchardt
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        INFORMATION SECURITY RISK EVALUATION OF REGION I – KING OF PRUSSIA, PA (OIG-13-A-06)

Attached is the Office of the Inspector General's (OIG) evaluation report titled Information Security Risk Evaluation of Region I – King of Prussia, PA.

The report presents the results of the subject evaluation. The agency agreed with the evaluation findings at the October 26, 2012, exit conference, and provided comments which were incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5911.

Attachment: As stated

Information Security Risk Evaluation of Region I – King of Prussia, PA

Contract Number: GS-00F-0001N
NRC Order Number: D12PD01191

December 17, 2012

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the Technical Training Center. This report presents the results of the information security risk evaluation for the Region I office, which is located in King of Prussia, Pennsylvania.

OBJECTIVES

The Region I information security risk evaluation objectives were to:

• Perform an independent information security risk evaluation of the NRC information technology (IT) security program, policies, and practices for compliance with the Federal Information Security Management Act (FISMA) of 2002 in accordance with Office of Management and Budget guidance and Federal regulations and guidelines as implemented at Region I.
• Evaluate the effectiveness of agency security control techniques as implemented at Region I.

RESULTS IN BRIEF

Region I has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region I IT security program and practices are not always consistent with NRC's IT security program, as summarized below.

IT Security Program

Some NRC-owned laptops do not have a current authority to operate. As a result, Region I is not fully compliant with NRC requirements for laptop systems. Regional IT security program procedures are not kept up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult to train new personnel to handle a specific activity.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's IT security program and implementation of FISMA at Region I. A consolidated list of recommendations appears on page 9 of this report.

AGENCY COMMENTS

At an exit conference on October 26, 2012, agency officials agreed with the findings and did not provide any changes to the draft report. The agency opted not to submit formal comments.

ABBREVIATIONS AND ACRONYMS

ATO          Authority to Operate
CSO-STD      Computer Security Office Standard
FISMA        Federal Information Security Management Act
ISSO         Information Systems Security Officer
IT           Information Technology
MD           Management Directive
NIST         National Institute of Standards and Technology
NRC          Nuclear Regulatory Commission
OIG          Office of the Inspector General
OMB          Office of Management and Budget
SGI          Safeguards Information
SP           Special Publication

TABLE OF CONTENTS

Executive Summary
Abbreviations and Acronyms
1 Background
2 Objectives
3 Findings
  3.1 Information Technology Security Program
    3.1.1 Region I Laptop Systems
    FINDING #1: Some Laptops Do Not Have a Current Authority To Operate
    3.1.2 Laptop System Requirements
    3.1.3 Agency Has Not Fully Met Requirements
    3.1.4 Regional Procedures and Instructions
    FINDING #2: Regional IT Security Program Procedures Are Not Kept Up-to-Date
    3.1.5 Requirements for Updating Procedures
    3.1.6 Agency Has Not Fully Met Requirements
    3.1.7 Impact on Region I Operations
4 Consolidated List of Recommendations
5 Agency Comments
Appendix. Objectives, Scope, and Methodology

1 Background

The U.S. Nuclear Regulatory Commission (NRC) has four regional offices that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. The regional offices are the agency's front line in carrying out its mission and implementing established agency policies and programs nationwide. The Region I office oversees regulatory activities in the northeastern United States; is located in King of Prussia, Pennsylvania; and operates under the direction of a Regional Administrator. The region covers an 11-State area, including 8 States with nuclear power plants, as well as the District of Columbia. Region I also oversees all materials licensees in Region II.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain an information technology (IT) security program, including the preparation of policies, standards, and procedures. An effective IT security program is an important managerial responsibility. Management establishes a positive climate by making computer security a part of the information resources management process and providing support for a viable IT security program.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Office of the Inspector General (OIG) or an independent external auditor.[3]

NRC maintains an IT security program to provide appropriate protection of information resources. In this regard, the role of the NRC OIG is to provide oversight of agency programs, including the IT security program, in support of the NRC goal to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] NRC uses the term "information security program" to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term IT security program.
[3] While FISMA uses the language "independent external auditor," OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating, "Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility…."

In support of its FISMA obligations, the NRC OIG tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the Technical Training Center to evaluate IT security programs in place at those locations, to include an assessment of potential physical security weaknesses, and to identify existing problems and make recommendations for corrective actions.

The information security risk evaluation focused on the following elements of NRC's IT security program, policies, and practices:

• Physical and Environmental Security Controls.
• Logical Access Controls.
• Configuration Management.
• Continuity of Operations and Recovery.
• IT Security Program.

This report presents the results of the information security risk evaluation for Region I. A consolidated list of recommendations appears on page 9.

2 Objectives

The Region I information security risk evaluation objectives were to:

• Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region I.
• Evaluate the effectiveness of agency security control techniques as implemented at Region I.

The report appendix contains a description of the evaluation objectives, scope, and methodology.

3 Findings

Region I has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region I IT security program and practices are not always consistent with NRC's IT security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program; other NRC policies; FISMA; and National Institute of Standards and Technology (NIST) guidance. While many of the Region I automated and manual IT security controls are generally effective, some IT security controls need improvement. Specifics on the Region I IT security program are described in the following section.

3.1 Information Technology Security Program

Overall, Region I is following agency security policies and procedures regarding IT security. Region I has developed regional implementing instructions that are generally up-to-date and are available on the Region I internal Web site. Staff receive training regarding IT security during new employee orientation; the Information Systems Security Officer (ISSO) sends periodic cybersecurity reminders via e-mail on topics such as locking your workstation and phishing; the ISSO maintains a SharePoint portal containing announcements on various cybersecurity topics; and there is a Web page for Region I "How-To" instructions. Users are generally aware of and are following agency and Region I IT security policies and procedures.

However, the evaluation team found issues with the Region I laptop systems and with keeping Region I IT security program procedures up-to-date.

3.1.1 Region I Laptop Systems

Laptops in use at Region I are either seat-managed laptops or NRC-owned laptops. Seat-managed laptops in use at Region I include those laptops that are part of the agency's new working from anywhere/mobile desktop program. NRC-owned laptops in use at Region I include a pool of loaner laptops, laptops in conference rooms, and laptops used to process safeguards information (SGI) or classified information.

FINDING #1: Some Laptops Do Not Have a Current Authority To Operate

The NRC Laptop Security Policy, which specifies the requirements for authorization of laptop systems, states that all NRC laptops must be either designated a system or included as part of an existing system. NRC-owned laptops in use at Region I include a pool of loaner laptops, laptops in conference rooms, and laptops used to process SGI or classified information. However, the evaluation team found that some NRC-owned laptops do not have a current authority to operate (ATO). As a result, Region I is not fully compliant with NRC requirements for laptop systems.

3.1.2 Laptop System Requirements

The NRC Laptop Security Policy states that all NRC laptops must either be designated a system or be included as part of an existing system. All laptops that are not seat-managed are considered to be organization-managed, i.e., NRC-owned. All NRC-owned laptops that process or access classified national security information belong to that office's or region's "Classified Laptop System." All NRC-owned laptops that process or access SGI and are not part of the office's or region's "Classified Laptop System" belong to that entity's "SGI Laptop System." All NRC-owned laptops that are not part of the office's or region's "Classified Laptop System" or the office's or region's "SGI Laptop System" belong to that entity's "General Laptop System."

The NRC Laptop Security Policy also specifies the following requirements for authorization (formerly referred to as accreditation):

• Laptop systems must meet the requirements provided in the relevant standard security plan. There is a different standard security plan for classified, SGI, and general laptops.
• Laptop systems must be certified by the system owner as compliant with the relevant laptop system requirements.
• Laptop systems must be accredited by the appropriate Designated Approving Authority prior to processing any relevant (i.e., classified, SGI, sensitive unclassified) information on the system.
• Certification of a laptop system requires a system certification memorandum from the laptop system owner. The memorandum must include an enclosure that provides the names and contact information for the System Owner, Certification Agent, ISSO, Alternate ISSO, and System Administrator.
• For each laptop or removable hard drive that is part of the laptop system, the enclosure must provide information such as physical storage location, location where the system is used, brand, model, tag number, peripherals, etc.

3.1.3 Agency Has Not Fully Met Requirements

Region I has not established a general laptop system, which would include its pool of loaner laptops and laptops found in conference rooms. However, the Region I laptop pool is in the process of being decommissioned, with all loaner laptops and laptops in the conference rooms to be replaced with mobile desktops. Therefore, there is no need for Region I to establish a Region I general laptop system to cover these systems.

In addition, Region I has 20 SGI laptops, 7 standalone desktops, and 8 "sensitive" hard drives still on the NRC inventory of systems, as well as a system called the Region I SGI Automated Inventory System, which may include the laptops, standalone desktops, and sensitive hard drives. The NRC inventory indicates some of these laptops, standalone desktops, and sensitive hard drives have authorizations to operate that expired in early 2009, while some never had an authorization to operate. The NRC inventory also indicates the Region I SGI Automated Inventory System never had an authorization to operate. Region I is in the process of decommissioning all laptops, standalone desktops, and sensitive hard drives used to process SGI. Therefore, there is no need for Region I to establish a Region I SGI laptop system to cover these systems.

3.1.4 Regional Procedures and Instructions

Region I uses regional implementing instructions when (i) agency policy requires a regional implementing instruction, (ii) clarification is required to help staff understand the agency policy or guidance document, (iii) regional management establishes expectations beyond those in the agency policy or guidance document and specific guidance is required to assure consistent implementation, or (iv) there is no specific agency policy or guidance on an issue that regional management concludes requires a regional policy or implementing instruction to assure consistent implementation. Regional implementing instructions include regional instructions and divisional instructions, directives, and policies, which establish requirements and expectations, and therefore have strict controls for review and maintenance. Regional implementing instructions also include regional "How-To" instructions and standard operating procedures, which are informational in nature and therefore do not require the same level of review and maintenance. Regional instructions and divisional instructions, directives, and policies must be reviewed at least every 3 years, and "How-To" instructions and standard operating procedures must be reviewed periodically by the responsible organization to determine if changes are necessary.

The following are some examples of regional implementing instructions specific to the Region I IT security program:

• Region I Instruction 0710.1, Region I Security Plan, Revision 9, dated March 21, 2006 – establishes policies, procedures, and responsibilities for assuring protection of personnel, information, and property.
• Region I Instruction 0730.1, NRC Identification Badge Issuance and Protection, Revision 4, dated August 7, 2005 – provides guidance concerning issuance of badges to regional personnel.

FINDING #2: Regional IT Security Program Procedures Are Not Kept Up-to-Date

NRC has developed several security standards that specify the frequency of reviewing and updating IT security program procedures. However, regional implementing instructions specific to the Region I IT security program are not kept up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult to train new personnel to handle a specific activity.

3.1.5 Requirements for Updating Procedures

NRC Computer Security Office Standard (CSO-STD) 0020, Organization Defined Values for System Security Controls, Revision 1.1, dated July 1, 2012, defines the mandatory values for specific controls in the 18 security control families described in NIST SP 800-53. The standard requires that documented procedures to facilitate the implementation of a control be reviewed and updated annually. The standard also requires system owners to review system security plans at least annually and update them to address changes to the information system and/or environment of operation. NRC CSO-STD-2001, Operating Procedures Standard, V1.1, dated April 15, 2011, states that documented and periodically reviewed operational procedures and responsibilities capture the requirements for secure operation of information systems and effective management and support of IT systems. This standard requires system owners to ensure operating procedures are reviewed and approved on a periodic basis, at least annually.

Regional Instruction 0180.1, Region I System of Instructions, Revision 6, dated October 15, 2012, establishes the process and requirements for developing and maintaining regional implementing instructions. Regional Instruction 0180.1 requires regional instructions and divisional instructions, directives, and policies to be reviewed at least every 3 years, and "How-To" instructions and standard operating procedures to be reviewed periodically by the responsible organization to determine if changes are necessary.

3.1.6 Agency Has Not Fully Met Requirements

Region I has developed several regional implementing instructions specific to the Region I IT security program. However, the evaluation team found that the following regional implementing instructions are not up-to-date.

• Region I Instruction 0710.1, Region I Security Plan – several sections need to be updated to reflect access controls at the new office location. Region I moved from 475 Allendale Road to 2100 Renaissance Boulevard in May 2012. The document also does not describe the current access control procedures for visitors. For example, a different form is used for visitor registration, and some of the functions described in this document are now performed by the protective security officer[4] (e.g., issuing temporary badges, ensuring all issued badges are returned, and ensuring visitors are logged in/out) and not the receptionist.
• Region I Instruction 0730.1, NRC Identification Badge Issuance and Protection – this document does not describe the current badge issuance procedures and references old badge categories that are no longer in use at the agency.

Region I is in the process of updating Region I Instruction 0710.1, Region I Security Plan, with a target completion date of November 30, 2012. Region I is in the process of determining whether the target completion date needs to be extended due to a change in focus for the document. Region I has issued an interim document, Security Access to Region I Office, which describes the current access controls in place for both NRC employees and visitors, but not to the level of detail found in Region I Instruction 0710.1.

Regional Instruction 0180.1, Region I System of Instructions, requires regional instructions to be reviewed at least every 3 years by the responsible organization to determine if changes are necessary. However, per NRC security standards, some procedures require more frequent review and update – at least annually for documented procedures to facilitate the implementation of security controls in the 18 security control families described in NIST SP 800-53, and for operational procedures that capture the requirements for secure operation of information systems and for effective management and support of IT systems.

3.1.7 Impact on Region I Operations

Outdated procedures can result in steps or processes being skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult to train new personnel to handle a specific activity. Current procedures ensure continuity in performing a specific IT security function in the event of staff turnover, are excellent for training new personnel, and are an excellent reference for existing personnel.

[4] Region I contracts through the Federal Protective Service for security guard services.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update Region I Instruction 0710.1, Region I Security Plan, to reflect the new office location, describe the current access control procedures for visitors, and describe functions now performed by the security guards.
2. Update Region I Instruction 0730.1, NRC Identification Badge Issuance and Protection, to describe the current badge issuance procedures and to reflect the current NRC employee badge characteristics.
3. Update Regional Instruction 0180.1, Region I System of Instructions, to specify which regional implementing instructions require annual review and update.

4 Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update Region I Instruction 0710.1, Region I Security Plan, to reflect the new office location, describe the current access control procedures for visitors, and describe functions now performed by the security guards.
2. Update Region I Instruction 0730.1, NRC Identification Badge Issuance and Protection, to describe the current badge issuance procedures and to reflect the current NRC employee badge characteristics.
3. Update Regional Instruction 0180.1, Region I System of Instructions, to specify which regional implementing instructions require annual review and update.

5 Agency Comments

At an exit conference on October 26, 2012, agency officials agreed with the findings and did not provide any changes to the draft report. The agency opted not to submit formal comments.

Appendix. OBJECTIVES, SCOPE, AND METHODOLOGY

OBJECTIVES

The Region I information security risk evaluation objectives were to:

• Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region I.
• Evaluate the effectiveness of agency security control techniques as implemented at Region I.

SCOPE

The scope of this information security risk evaluation included:

• The three floors Region I occupies at 2100 Renaissance Boulevard, King of Prussia, Pennsylvania 19406-2713.
• Region I seat-managed equipment.
• Region I NRC-managed equipment.

The information security risk evaluation did not include controls related to the management of safeguards or classified information.

The evaluation work was conducted during a site visit to Region I in King of Prussia, PA, between October 22, 2012, and October 26, 2012. Any information received from the agency subsequent to the completion of fieldwork was incorporated when possible. Throughout the evaluation, evaluators were aware of the potential for fraud, waste, or misuse in the program.

METHODOLOGY

Richard S. Carson & Associates, Inc., conducted a high-level, qualitative evaluation of the NRC IT security program, policies, and practices as implemented at Region I, and evaluated the effectiveness of agency security control techniques as implemented at Region I.

In conducting the information security risk evaluation, the following areas were reviewed: physical and environmental security controls, logical access controls, configuration management, continuity of operations and recovery, and IT security program.
Specifically, the evaluation\nteam conducted site surveys of the three floors Region I occupies at 2100 Renaissance\nBoulevard, King of Prussia, Pennsylvania 19406-2713, focusing on the areas that house IT\nequipment. The team conducted interviews with the Region I ISSO, the seat-management server\nadministrator, the Region I server administrator, and other Region I staff members responsible\nfor implementing the agency\xe2\x80\x99s IT security program at Region I. The evaluation team also\nconducted user interviews with 16 Region I employees, including 3 Resident Inspectors and 4\nteleworkers. The team reviewed documentation provided by Region I including floor plans,\n\n\n\n                                                13\n\x0c                                                                 Information Security Risk Evaluation of\n                                                                          Region I \xe2\x80\x93 King of Prussia, PA\n\n\ninventories of hardware and software, local policies and procedures, security plans, backup\nprocedures, contingency plans, and the Occupancy Emergency Plan. The information security\nrisk evaluation also included a network vulnerability assessment scan of the Region I network\nand the Region I Resident Inspector sites.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       NIST standards and guidelines.\n       NRC MD and Handbook 12.5, NRC Automated Information Security Program.\n       NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n       NRC OIG audit guidance.\n\nThe work was conducted by Jane M. Laroussi, CISSP, CAP, GIAC ISO-17799, and Diane\nReilly, from Richard S. Carson & Associates, Inc.\n\n\n\n\n                                               14\n\x0c'